Diffstat (limited to 'bin/dnssec')
-rw-r--r-- | bin/dnssec/dnssec-keyfromlabel.c | 2 | ||||
-rw-r--r-- | bin/dnssec/dnssec-keygen.c | 12 | ||||
-rw-r--r-- | bin/dnssec/dnssec-revoke.c | 3 | ||||
-rw-r--r-- | bin/dnssec/dnssec-settime.c | 35 | ||||
-rw-r--r-- | bin/dnssec/dnssec-signzone.c | 61 |
5 files changed, 94 insertions, 19 deletions
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index e91e02d..6572d4c 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -356,6 +356,8 @@ main(int argc, char **argv) {
 fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
 "If you still wish to use RSA (RSAMD5) please "
 "specify \"-a RSAMD5\"\n");
+ if (freeit != NULL)
+ free(freeit);
 return (1);
 } else {
 r.base = algname;
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 8af100c..3d22f99 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -526,6 +526,7 @@ main(int argc, char **argv) {
 "recommended.\nIf you still wish to "
 "use RSA (RSAMD5) please specify "
 "\"-a RSAMD5\"\n");
+ INSIST(freeit == NULL);
 return (1);
 } else if (strcasecmp(algname, "HMAC-MD5") == 0)
 alg = DST_ALG_HMACMD5;
@@ -960,8 +961,15 @@ main(int argc, char **argv) {
 dst_key_settime(key, DST_TIME_INACTIVE, inactive);
- if (setdel)
+ if (setdel) {
+ if (setinact && delete < inactive)
+ fprintf(stderr, "%s: warning: Key is "
+ "scheduled to be deleted "
+ "before it is scheduled to be "
+ "made inactive.\n",
+ program);
 dst_key_settime(key, DST_TIME_DELETE, delete);
+ }
 } else {
 if (setpub || setact || setrev || setinact ||
 setdel || unsetpub || unsetact ||
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 8346f1c..fb116e6 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
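Review bot: The `if (freeit != NULL)` guard added in the keyfromlabel hunk is redundant, since `free(NULL)` is defined to be a no-op; `free(freeit);` alone reads cleaner and is the usual C idiom. The keygen hunk at `@@ -526` handles the same early-return path differently, with `INSIST(freeit == NULL);`, which aborts on failure instead of releasing the buffer; if `freeit` can be non-NULL there the way it evidently can in keyfromlabel, that assertion fires on a path that only reports a bad `-a` argument. The two tools should agree on one treatment, and freeing is the safer choice on a user-error path. The enclosing `main` continues outside both hunks.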
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,6 @@
 #include <config.h>
-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f7f4486..a7fbed3 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,6 @@
 #include <config.h>
-#include <libgen.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <errno.h>
@@ -140,6 +139,7 @@ main(int argc, char **argv) {
 int prepub = -1;
 isc_stdtime_t now;
 isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+ isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
 isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
 isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
 isc_boolean_t setdel = ISC_FALSE;
@@ -344,7 +344,6 @@ main(int argc, char **argv) {
 if (predecessor != NULL) {
 char keystr[DST_KEY_FORMATSIZE];
- isc_stdtime_t when;
 int major, minor;
 if (prepub == -1)
@@ -376,19 +375,20 @@ main(int argc, char **argv) {
 fatal("Predecessor has incompatible format "
 "version %d.%d\n\t", major, minor);
- result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
 if (result != ISC_R_SUCCESS)
 fatal("Predecessor has no activation date. "
 "You must set one before\n\t"
 "generating a successor.");
- result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+ result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+ &previnact);
 if (result != ISC_R_SUCCESS)
 fatal("Predecessor has no inactivation date. "
 "You must set one before\n\t"
 "generating a successor.");
- pub = act - prepub;
+ pub = prevact - prepub;
 if (pub < now && prepub != 0)
 fatal("Predecessor will become inactive before the\n\t"
 "prepublication period ends. Either change "
@@ -396,13 +396,18 @@ main(int argc, char **argv) {
 "or use the -i option to set a shorter "
 "prepublication interval.");
- result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
 if (result != ISC_R_SUCCESS)
- fprintf(stderr, "%s: WARNING: Predecessor has no "
+ fprintf(stderr, "%s: warning: Predecessor has no "
 "removal date;\n\t"
 "it will remain in the zone "
 "indefinitely after rollover.\n",
 program);
+ else if (prevdel < previnact)
+ fprintf(stderr, "%s: warning: Predecessor is "
+ "scheduled to be deleted\n\t"
+ "before it is scheduled to be "
+ "inactive.\n", program);
 changed = setpub = setact = ISC_TRUE;
 dst_key_free(&prevkey);
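Review bot: After this change `act` is no longer assigned from the predecessor's inactivation time: the `DST_TIME_INACTIVE` lookup now writes into `previnact`, `pub` is computed as `prevact - prepub` from the predecessor's activation time, yet the `@@ -396` hunk still ends with `changed = setpub = setact = ISC_TRUE;`, so the successor is written with whatever `act` held (its initializer `0` from the declaration hunk, unless a command-line option set it) and its publication date is relative to the wrong event — the `fatal()` text two lines below still describes the predecessor becoming inactive. Unless `act` is assigned in the few lines between the two hunks, the intent is kept by restoring `result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);` and `pub = act - prepub;`, with `previnact` either dropped or set from `act`, and the new `else if (prevdel < previnact)` in `@@ -396` compared against that same value. `prevact` is then only needed for the "has an activation date" check. `main` continues outside both hunks.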
@@ -464,6 +469,20 @@ main(int argc, char **argv) {
 fatal("Key flags mismatch");
 }
+ prevdel = previnact = 0;
+ if ((setdel && setinact && del < inact) ||
+ (dst_key_gettime(key, DST_TIME_INACTIVE,
+ &previnact) == ISC_R_SUCCESS &&
+ setdel && !setinact && del < previnact) ||
+ (dst_key_gettime(key, DST_TIME_DELETE,
+ &prevdel) == ISC_R_SUCCESS &&
+ setinact && !setdel && prevdel < inact) ||
+ (!setdel && !setinact && prevdel < previnact))
+ fprintf(stderr, "%s: warning: Key is scheduled to "
+ "be deleted before it is\n\t"
+ "scheduled to be inactive.\n",
+ program);
+
 if (force)
 set_keyversion(key);
 else
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 2376249..86c3aee 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -646,6 +646,8 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
 if (l->entries == l->size) {
 l->size = l->size * 2 + 100;
 l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+ if (l->hashbuf == NULL)
+ fatal("unable to grow hashlist: out of memory");
 }
 memset(l->hashbuf + l->entries * l->length, 0, l->length);
 memcpy(l->hashbuf + l->entries * l->length, hash, len);
@@ -2027,7 +2029,9 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
 * Remove records of the given type and their signatures.
 */
 static void
-remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
+ isc_boolean_t checknsec)
+{
 isc_result_t result;
 dns_rdatatype_t type, covers;
 dns_rdatasetiter_t *rdsiter = NULL;
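Review bot: The last disjunct, `(!setdel && !setinact && prevdel < previnact)`, warns for a key that has an inactivation date but no deletion date when settime is run without `-I`/`-D`: the `DST_TIME_INACTIVE` lookup in the second disjunct fills `previnact`, the `DST_TIME_DELETE` lookup in the third fails and leaves `prevdel` at the `0` the preceding reset gave it, and `0 < previnact` is then true, so the user is told the key will be deleted before it goes inactive although no deletion is scheduled at all. Folding lookups with side effects into a short-circuit chain also makes the condition hard to follow; doing the two lookups first and comparing once avoids both problems. The sketch below treats `0` as "no such date", the same convention the reset on the first added line already relies on, so confirm that `dst_key_gettime()` leaves its output untouched on failure. `main` continues outside the hunk.
```c
	/*
	 * Compare the delete and inactive times the key will have after this
	 * run: a value given on the command line wins, otherwise the stored
	 * one.  0 means "no such date"; warn only when both are known.
	 */
	prevdel = previnact = 0;
	if (setinact)
		previnact = inact;
	else
		(void) dst_key_gettime(key, DST_TIME_INACTIVE, &previnact);
	if (setdel)
		prevdel = del;
	else
		(void) dst_key_gettime(key, DST_TIME_DELETE, &prevdel);
	if (previnact != 0 && prevdel != 0 && prevdel < previnact)
		fprintf(stderr, "%s: warning: Key is scheduled to "
				"be deleted before it is\n\t"
				"scheduled to be inactive.\n",
				program);
```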
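Review bot: In the `hashlist_add` hunk the added NULL check runs after `l->hashbuf` has already been overwritten with the `realloc()` result, so on failure the old buffer is unreachable; that is only harmless because `fatal()` does not return, and the reason deserves a comment, e.g. `/* fatal() does not return, so losing the old hashbuf on failure is fine. */`. The request size `l->size * l->length` is also passed unchecked for overflow, though both factors appear to grow only with the number of names in the zone, so this is a note for the reader rather than a fix. `hashlist_add` starts before the hunk and continues after it.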
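Review bot: The new `checknsec` parameter of `remove_records` is not described in the header comment directly above the signature, which still reads `Remove records of the given type and their signatures.`; the callers in the later hunks pass `ISC_TRUE` at the apex and `ISC_FALSE` for names below a zone cut, so the comment should say what the flag gates, e.g. ` * If checknsec is true, abort when the zone still holds a chain of the other type (NSEC vs. NSEC3) and -u was not given; pass false when stripping stale records below a zone cut.`. The function body continues in the next hunk.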
@@ -2048,10 +2052,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
 covers = rdataset.covers;
 dns_rdataset_disassociate(&rdataset);
 if (type == which || covers == which) {
- if (which == dns_rdatatype_nsec && !update_chain)
+ if (which == dns_rdatatype_nsec &&
+ checknsec && !update_chain)
 fatal("Zone contains NSEC records. Use -u "
 "to update to NSEC3.");
- if (which == dns_rdatatype_nsec3param && !update_chain)
+ if (which == dns_rdatatype_nsec3param &&
+ checknsec && !update_chain)
 fatal("Zone contains NSEC3 chains. Use -u "
 "to update to NSEC.");
 result = dns_db_deleterdataset(gdb, node, gversion,
@@ -2063,6 +2069,39 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
 dns_rdatasetiter_destroy(&rdsiter);
 }
+/*
+ * Remove signatures covering the given type (0 == all signatures).
+ */
+static void
+remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
+ isc_result_t result;
+ dns_rdatatype_t type, covers;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+
+ if (type == dns_rdatatype_rrsig &&
+ (covers == which || which == 0))
+ {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result, "dns_db_deleterdataset()");
+ continue;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+}
+
 /*%
 * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
 */
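Review bot: The `continue;` at the end of the `if` body in `remove_sigs` is dead — it is the last statement of the loop body — and dropping it lets the deletion branch read as the plain conditional it is. The sentinel `which == 0` could use libdns's name for type 0, `dns_rdatatype_none`, so that the header comment and the code say the same thing; the comment could then read ` * Remove RRSIGs covering the given type, or all RRSIGs if which is dns_rdatatype_none.`. The iteration skeleton duplicates `remove_records` above, which deletes rdatasets from the same kind of iterator in the same way, so the two could share a helper if this code grows further.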
@@ -2139,14 +2178,17 @@ nsecify(void) {
 }
 if (dns_name_equal(name, gorigin))
- remove_records(node, dns_rdatatype_nsec3param);
+ remove_records(node, dns_rdatatype_nsec3param,
+ ISC_TRUE);
 if (delegation(name, node, &nsttl)) {
 zonecut = dns_fixedname_name(&fzonecut);
 dns_name_copy(name, zonecut, NULL);
+ remove_sigs(node, 0);
 if (generateds)
 add_ds(name, node, nsttl);
 }
+
 result = dns_dbiterator_next(dbiter);
 nextnode = NULL;
 while (result == ISC_R_SUCCESS) {
@@ -2164,6 +2206,9 @@ nsecify(void) {
 (zonecut != NULL &&
 dns_name_issubdomain(nextname, zonecut))) {
+ remove_sigs(nextnode, 0);
+ remove_records(nextnode, dns_rdatatype_nsec,
+ ISC_FALSE);
 dns_db_detachnode(gdb, &nextnode);
 result = dns_dbiterator_next(dbiter);
 continue;
@@ -2555,7 +2600,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 }
 if (dns_name_equal(name, gorigin))
- remove_records(node, dns_rdatatype_nsec);
+ remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
 result = dns_dbiterator_next(dbiter);
 nextnode = NULL;
@@ -2572,6 +2617,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 if (!dns_name_issubdomain(nextname, gorigin) ||
 (zonecut != NULL &&
 dns_name_issubdomain(nextname, zonecut))) {
+ remove_sigs(nextnode, 0);
 dns_db_detachnode(gdb, &nextnode);
 result = dns_dbiterator_next(dbiter);
 continue;
@@ -2579,6 +2625,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 if (delegation(nextname, nextnode, &nsttl)) {
 zonecut = dns_fixedname_name(&fzonecut);
 dns_name_copy(nextname, zonecut, NULL);
+ remove_sigs(nextnode, 0);
 if (generateds)
 add_ds(nextname, nextnode, nsttl);
 if (OPTOUT(nsec3flags) &&
@@ -3011,7 +3058,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 dns_rdata_nsec3_t nsec3;
 dns_fixedname_t fname;
 dns_name_t *hashname;
- unsigned char orig_salt[256];
+ unsigned char orig_salt[255];
 size_t orig_saltlen;
 dns_hash_t orig_hash;
 isc_uint16_t orig_iter; |
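Review bot: The below-cut branch in `nsecify` (`@@ -2164`) now strips both signatures and stale NSEC records from names under a delegation, but the matching branch in `nsec3ify` (`@@ -2572`) only calls `remove_sigs(nextnode, 0);`; when a zone previously signed with NSEC is converted, NSEC RRs at names below a cut would appear to survive there. If that case is handled elsewhere in `nsec3ify`, a one-line comment at the `remove_sigs` call saying so would save the next reader the search; otherwise the branch probably wants the same `remove_records(nextnode, dns_rdatatype_nsec, ISC_FALSE);` call. Both functions start and end outside these hunks.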
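Review bot: Shrinking `orig_salt` from 256 to 255 bytes in `set_nsec3params` is only safe if every write into it is bounded by `sizeof(orig_salt)` rather than by a literal; the code that fills it and sets `orig_saltlen` is outside this hunk, so confirm the copy is capped against the array size. A salt is at most 255 octets because its length is carried in a single octet, which is presumably why 255 was chosen; naming the size (libdns provides `DNS_NSEC3_SALTSIZE`) and adding `/* NSEC3 salt length is a single octet, hence at most 255 bytes. */` would make that intent visible at the declaration. `set_nsec3params` continues outside the hunk.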